SAP Security


About the Tutorial 


SAP Security is required to protect SAP systems and critical information from unauthorized access in a distributed environment, whether the system is accessed locally or remotely. This tutorial covers the available authentication methods, database security, network and communication security, the protection of standard users, and other best practices that should be followed when maintaining your SAP environment.


In a distributed SAP environment there is always a need to protect your critical information and data from unauthorized access. Human errors and incorrect access provisioning should never open the system to unauthorized users, so the profile policies and system security policies in your SAP environment need to be maintained and reviewed regularly.


Audience 


This tutorial is suitable for professionals who have a good understanding of SAP Basis tasks and a basic understanding of system security. After completing this tutorial, you will have a moderate level of expertise in implementing the security concepts in a SAP system.


Prerequisites 


Before you start with this tutorial, we assume that you are well-versed with SAP Basis activities - user creation, password management, and RFCs. In addition, you should have a basic understanding of security terms in the Windows and UNIX environments.


Copyright & Disclaimer 


© Copyright 2018 by Tutorials Point (I) Pvt. Ltd. 


All the content and graphics published in this e-book are the property of Tutorials Point (I) Pvt. Ltd. The user of this e-book is prohibited from reusing, retaining, copying, distributing or republishing any contents or a part of contents of this e-book in any manner without written consent of the publisher.


We strive to update the contents of our website and tutorials as timely and as precisely as possible; however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt. Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our website or its contents, including this tutorial. If you discover any errors on our website or in this tutorial, please notify us at contact@tutorialspoint.com
1. SAP Security — Overview


In a distributed SAP environment there is always a need to protect your critical information and data from unauthorized access. Human errors and incorrect access provisioning should never open any system to unauthorized users, so the profile policies and system security policies in your SAP environment need to be maintained and reviewed regularly.


To make the system secure, you should have a good understanding of user access profiles, password policies, data encryption and the authorization methods used in the system. You should regularly check the SAP system landscape and monitor all changes made to the configuration and to access profiles.


The standard super users should be well protected, and user profile parameters and values should be set carefully to meet the system's security requirements.


When communicating over a network, you should understand the network topology; network services should be reviewed and enabled only after careful checks. Data sent over the network should be well protected by using private keys.


Why is Security Required? 


When information is accessed in a distributed environment, critical information and data can be leaked to unauthorized parties and system security can be broken, whether through a lack of password policies, poorly maintained standard super users, or other causes.


A few key reasons for breaches of access in a SAP system are as follows:

- Strong password policies are not maintained.
- Standard users, super users and DB users are not properly maintained, and their passwords are not changed regularly.
- Profile parameters are not correctly defined.
- Unsuccessful logon attempts are not monitored, and no policy for ending idle user sessions is defined.
- Network communication security is not considered when sending data over the internet, and encryption keys are not used.
- Database users are not maintained properly, and no security measures are considered when setting up the information database.
- Single Sign-On is not properly configured and maintained in the SAP environment.


To address all of the above, you need to define security policies in your SAP environment. Security parameters should be defined, and password policies should be reviewed at regular intervals.
Database security is one of the critical components of securing your SAP environment, so you need to manage your database users and make sure their passwords are well protected.


The following security mechanisms should be applied in the system to protect the SAP environment from unauthorized access:

- User Authentication and Management
- Network Communication Security
- Protecting Standard Users and Super Users
- Unsuccessful Logon Protection
- Profile Parameters and Password Policies
- SAP System Security on Unix and Windows Platforms
- Single Sign-On Concept


[Figure: SAP security components - User Authentication & Management, Database Security, Unsuccessful Logon Attempts Monitoring]


Security in a SAP system is therefore required in a distributed environment, and you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. In a SAP system, human error, negligence or attempted manipulation of the system can result in the loss of critical information.
2. SAP Security — User Authentication & Management


If an unauthorized user can access the SAP system under a known authorized user's identity, they can make configuration changes and manipulate the system configuration and key policies. If an authorized user has access to important data and information in a system, that user can also reach other critical information. This is why secure authentication is needed to protect the availability, integrity and privacy of a user system.


Authentication Mechanism in a SAP System 


The authentication mechanism defines the way you access your SAP system. The following authentication methods are provided:

- User IDs and user management tools
- Secure Network Communication
- SAP Logon Tickets
- X.509 Client Certificates


User IDs and User Management Tools


The most common method of authentication in a SAP system is logging in with a username and password. The user IDs used to log in are created by the SAP administrator. To provide a secure authentication mechanism via username and password, you need to define password policies that do not allow users to set easily predicted passwords.


SAP provides various default parameters that you should set to define password policies - password length, password complexity, forced change of the initial password, etc.


[Screenshot: SAP logon screen (IDES ECC 6.0 incl. EhP7) - fields Client, User, Password, Logon Language; menu User > New password]
User Management Tools in a SAP System


SAP NetWeaver systems provide various user management tools that can be used to manage users in your environment effectively. They provide strong authentication for both types of NetWeaver application server - Java and ABAP.


Some of the most common user management tools are:


User Management for ABAP Application Server (Transaction Code: SU01) 


You can use the user management transaction SU01 to maintain users on your ABAP-based application servers.


[Screenshot: SU01 User Maintenance: Initial Screen - fields User, Alias]


SAP NetWeaver Identity Management 


You can use SAP NetWeaver Identity Management for user management as well as for 
managing roles and role assignments in your SAP environment. 


[Screenshot: SAP NetWeaver Identity Management, Display Identity - Unique ID IDM_ADMIN, Display Name The Admin, Last Name Admin, First Name John]
PFCG Roles


You can use the profile generator PFCG to create roles and assign authorizations to users in ABAP-based systems.


Transaction Code: PFCG 


[Screenshot: PFCG Role Maintenance - field Role, buttons Transactions and Show Documentation]


Central User Administration 


You can use CUA to maintain users for multiple ABAP-based systems. You can also synchronize it with your directory servers. Using this tool, you can manage all user master records centrally from one client of the system.


Transaction Code: SCUA, where you create the distribution model.


[Screenshot: SCUA Maintain system landscape - Central User Administration Distribution Model, Model view]
User Management Engine (UME)


You can use UME roles to control user authorization in the system. An administrator works with actions, which are the smallest entities of a UME role and are combined to build a user's access rights.


You can open the UME administration console from SAP NetWeaver Administrator.


Password Policy 


A password policy is a set of rules that users must follow to improve system security by choosing strong passwords and using them properly. In many organizations, the password policy is shared as part of security awareness training, and users must comply with it to keep critical systems and information secure.


Using the password policy in a SAP system, an administrator can require system users to set strong passwords that are not easy to break. The policy also enforces password changes at regular intervals.


The following password policies are commonly used in a SAP System: 


Default/Initial Password Change 


This policy makes users change their initial password immediately when it is used for the first time.


Password Length 


In a SAP system, the minimum length for passwords is 3 by default. This value can be changed using a profile parameter, and the maximum length that is allowed is 8.


Transaction Code: RZ11


Parameter Name: login/min_password_lng
[Screenshot: RZ11 Maintain Profile Parameters for login/min_password_lng - Type: Integer, Interval [3,40]; expansion levels Kernel Default, Standard Profile]

You can click on the documentation of the profile parameter for this policy to see the detailed documentation from SAP, as follows:


[Screenshot: RZ11 documentation for login/min_password_lng - Short text: Minimum password length; Parameter Description; Application Area: Logon]
Parameter: login/min_password_lng
Short text: Minimum password length


Parameter Description: This parameter specifies the minimum length of the logon password. The password must have at least three characters. However, the administrator can specify a greater minimum length. This setting applies when new passwords are assigned and when existing passwords are changed or reset.


Application Area: Logon
Parameter Unit: Number of characters (alphanumeric)
Default Value: 6
Who is permitted to make changes? Customer
Operating System Restrictions: None
Database System Restrictions: None


Illegal Passwords 


The first character of a password cannot be a question mark (?) or an exclamation mark (!). You can also add other characters and patterns that you want to restrict to the illegal password table.


Transaction Code: SM30
Table Name: USR40


[Screenshot: SM30 Maintain Table Views: Initial Screen - Table/View field, Restrict Data Range options, buttons Display, Maintain, Transport, Customizing]


Once you enter the table name USR40 and click on Display at the top, it shows you the list of all impermissible passwords.
[Screenshot: Change View "Table for illegal passwords": Overview - columns Password Patt./Indiv. Value, Case-Sens]


Once you click on New Entries, you can enter new values in this table and also select the case-sensitive check box.


[Screenshot: Change View "Table for illegal passwords": Overview, New Entries - column Password Patt./Indiv. Value]


Password Pattern 


You can also specify that the first three characters of the password may not appear in the same order as part of the user name. Other password patterns that can be restricted using the password policy include:

- The first three characters cannot all be the same.
- The first three characters cannot include space characters.
- The password cannot be PASS or SAP.


Password Change 


Under this policy, a user can be allowed to change his or her password at most once a day, but an administrator can reset a user's password as often as necessary.


A user shouldn't be allowed to reuse any of the last five passwords. However, an administrator can reset a password to one that the user used previously.
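The pattern rules above, the USR40 illegal-password table, the minimum length parameter and the five-password history can be modelled in one checker. The Python script below is an added example for this tutorial, not SAP code; the class and function names, the sample USR40 rows, the user name and the password history are assumptions constructed for illustration, and the history is compared in plaintext only to keep the example short (a SAP system stores password hashes, not passwords).

```python
"""Password-policy checker for the rules described in this tutorial.

Added example, not SAP code. It models login/min_password_lng, the fixed
pattern rules, the USR40 illegal-password table (pattern or individual
value, optionally case-sensitive) and the five-password history. Class and
function names, the sample USR40 rows, the user name and the history are
constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Usr40Entry:
    """One row of table USR40. '*' stands for any sequence of characters and
    '?' for exactly one character; an entry without wildcards is an
    individual value."""
    value: str
    case_sensitive: bool = False

    def matches(self, password: str) -> bool:
        # Translate the SAP wildcards into a regular expression.
        regex = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            for ch in self.value
        )
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return re.fullmatch(regex, password, flags) is not None


@dataclass
class PasswordPolicy:
    min_password_lng: int = 3      # kernel default of login/min_password_lng
    history_size: int = 5          # the last five passwords may not be reused
    illegal: list = field(default_factory=list)   # USR40 entries

    def check(self, password: str, user: str, history=()) -> list:
        """Return all rule violations; an empty list means the password is accepted."""
        violations = []
        if len(password) < self.min_password_lng:
            violations.append(
                f"shorter than login/min_password_lng={self.min_password_lng}")
        if password[:1] in ("?", "!"):
            violations.append("first character may not be '?' or '!'")
        head = password[:3]
        if len(head) == 3 and len(set(head)) == 1:
            violations.append("first three characters are all the same")
        if " " in head:
            violations.append("first three characters contain a space")
        if password.upper() in ("PASS", "SAP"):
            violations.append("password is PASS or SAP")
        if len(head) == 3 and head.upper() in user.upper():
            violations.append(
                "first three characters appear in the same order in the user name")
        for entry in self.illegal:
            if entry.matches(password):
                violations.append(f"matches USR40 entry '{entry.value}'")
        # History is compared in plaintext here only to keep the example short;
        # a real system compares against stored password hashes.
        if password in list(history)[-self.history_size:]:
            violations.append(f"is one of the last {self.history_size} passwords")
        return violations


# Constructed sample of USR40 rows: two patterns and one individual value.
SAMPLE_USR40 = [
    Usr40Entry("SAP*"),                           # anything beginning with sap, any case
    Usr40Entry("welcome?"),                       # "welcome" followed by one character
    Usr40Entry("Init1234", case_sensitive=True),  # exact value, case-sensitive
]


def evaluate(password: str, user: str, history=()) -> list:
    """Check a password against an assumed hardened policy (minimum length 8)."""
    policy = PasswordPolicy(min_password_lng=8, illegal=SAMPLE_USR40)
    return policy.check(password, user, history)


if __name__ == "__main__":
    for candidate in ("Sap2024x", "Welcome1", "init1234", "!Tr0ub4dor", "jsm!Th2024"):
        print(candidate, "->", evaluate(candidate, "JSMITH") or "accepted")
```

Note how the case-sensitive individual value "Init1234" does not reject "init1234", while the case-insensitive pattern "SAP*" rejects "Sap2024x": when you maintain USR40, the Case-Sens flag decides which of the two behaviours you get.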


Profile Parameters 


There are different profile parameters that you can define in a SAP system for user management and the password policy.


In a SAP system, you can display the documentation for each profile parameter by going to Tools > CCMS > Configuration > Profile Maintenance (Transaction: RZ11). Enter the parameter name and click on Display.
[Screenshot: SAP Easy Access menu]


In the next window, enter the parameter name; you then have two options:


Display: displays the value of the parameter in the SAP system.


Display Docu: displays the SAP documentation for that parameter.


[Screenshot: RZ11 Maintain Profile Parameters - parameter name input field]


Profile Parameter Maintenance 


When you click on the Display button, you are taken to the Maintain Profile Parameters screen. You can see the following details:

- Name
- Type
- Selection Criteria
- Parameter Group
- Parameter Description and many more


At the bottom, you can see the current value of the parameter login/min_password_lng.


[Screenshot: RZ11 Maintain Profile Parameters, Metadata for Parameter login/min_password_lng - Type: Integer, Further Selection Criteria: Interval [3,40], Dynamic Parameter, Vector Parameter, Has Subparameters, Check Function Exists; Current Value of Parameter by expansion level: Kernel Default, Standard Profile, Instance Profile, Current Value]


When you click on the Display Docu option, it displays the SAP documentation for the parameter.


[Screenshot: RZ11 documentation for login/min_password_lng - Short text: Minimum password length; Parameter Description; Application Area: Logon; Parameter Unit: Number of characters (alphanumeric)]
Parameter Description


This parameter specifies the minimum length of the logon password. The password must 
have at least three characters. However, the administrator can specify a greater minimum 
length. This setting applies when new passwords are assigned and when existing 
passwords are changed or reset. 


Each parameter has a default value and a permitted value, as below:


Parameter                        Description                                   Default        Permitted value
login/min_password_lng           Minimum length                                3              3-8
login/password_expiration_time   Number of days after which a password must    0 (no limit)   any numerical value
                                 be changed


There are different password parameters in a SAP system. You can enter each parameter in the RZ11 transaction and view its documentation.

- login/min_password_diff
- login/min_password_digits
- login/min_password_letters
- login/min_password_specials
- login/min_password_lowercase
- login/min_password_uppercase
- login/disable_password_logon
- login/password_charset
- login/password_downwards_compatibility
- login/password_compliance_to_current_policy


To change a parameter value, run transaction RZ10 and select the profile as shown below:

- Multiple application servers: use the DEFAULT profile.
- Single application server: use the instance profile.


Select Extended Maintenance and click Display.




[Screenshot: RZ10 Edit Profiles - Profile EC3_DVEBMGS00_CIEC3 (Instance profile), Version 000007 (Saved, activated), Extended maintenance selected, 22.09.2015 19:58:49; parameter list including SAPDBHOST, dbms/type, SAPSYSTEMNAME, SAPGLOBALHOST, rdisp/mshost, enque/serverhost, icf/user_recheck, service/protectedwebmethods SDEFAULT, rsec/ssfs_datapath, rsec/ssfs_keypath, gw/acl_mode, gw/sec_info, login/password_downwards_compatibility 0, login/system_client 001, rdisp/TRACE 1]


When you click on the Parameter tab, you can change the value of a parameter in a new window. You can also create a new parameter by clicking on Create (F5).


You can also see the status of the parameter in this window. Type the parameter value and click on Copy.
[Screenshot: RZ10 parameter change window - buttons Copy, PARAM+, PARAM-; fields Unsubstituted standard value: 001, Substituted standard value]


You will be prompted to save when you exit the screen. Click on Yes to save the parameter value.
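To see how the profile precedence shown in RZ11 (instance profile over DEFAULT profile over kernel default) and the parameter table above combine, here is an added Python example, not SAP code, that reads the "parameter = value" lines of the profile text format RZ10 maintains and reports password parameters that fall below a baseline. The sample profiles, the baseline values and the function names are assumptions constructed for this example; the two kernel defaults are the ones from the table above.

```python
"""Audit of password-policy profile parameters, added example (not SAP code).

Parses 'parameter = value' lines in the text format of SAP profiles,
resolves each parameter the way the system does (instance profile over
DEFAULT profile over kernel default) and reports the password parameters
that fall below a baseline. The sample profiles, the baseline values and
the function names are constructed assumptions; the two kernel defaults
are the ones given in the tutorial's table.
"""
import re

# Kernel defaults from the tutorial's table (expiration 0 means no limit).
KERNEL_DEFAULTS = {
    "login/min_password_lng": "3",
    "login/password_expiration_time": "0",
}

# Assumed hardening baseline: the lowest acceptable value per parameter.
BASELINE_MIN = {
    "login/min_password_lng": 8,
    "login/password_expiration_time": 1,   # > 0, so passwords do expire
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
}

# Constructed sample of a DEFAULT profile as shown by RZ10 extended maintenance.
SAMPLE_DEFAULT_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = EC3
login/min_password_lng = 6
login/password_expiration_time = 0
login/min_password_digits = 1
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
"""

# Constructed sample instance profile that overrides one DEFAULT value.
SAMPLE_INSTANCE_PROFILE = """\
login/min_password_lng = 10
"""

PARAM_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> dict:
    """Return {parameter: value} for every 'name = value' line; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def effective_value(name: str, default_params: dict, instance_params: dict):
    """Instance profile wins over DEFAULT profile, which wins over the kernel default."""
    if name in instance_params:
        return instance_params[name]
    if name in default_params:
        return default_params[name]
    return KERNEL_DEFAULTS.get(name)


def audit(default_text: str, instance_text: str = "") -> list:
    """Return (parameter, effective value, baseline minimum) for each weak setting."""
    default_params = parse_profile(default_text)
    instance_params = parse_profile(instance_text)
    findings = []
    for name, minimum in BASELINE_MIN.items():
        value = effective_value(name, default_params, instance_params)
        if value is None:
            # Not in either profile and no default known here: verify in RZ11.
            findings.append((name, "not set; check in RZ11", minimum))
        elif not value.lstrip("-").isdigit():
            findings.append((name, f"non-numeric value {value!r}", minimum))
        elif int(value) < minimum:
            findings.append((name, int(value), minimum))
    return findings


if __name__ == "__main__":
    for name, value, minimum in audit(SAMPLE_DEFAULT_PROFILE, SAMPLE_INSTANCE_PROFILE):
        print(f"{name}: {value} (baseline at least {minimum})")
```

Running it against only the DEFAULT sample reports the short minimum length, the unlimited expiration and the two parameters that neither profile sets; adding the instance sample removes the length finding, which is exactly why the tutorial tells you to edit the DEFAULT profile when several application servers share it and the instance profile when there is only one.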


[Dialog: Maintain Profile 'DEFAULT' - The parameter was changed. Save changes?]
End of ebook preview